Types of detection analytics
In the ESCU app, detections have the following categories:
Each yaml file for the detection in the security_content Github repository has a field called type
. These types drive the workflow on the product:
Type | Description | Example |
---|---|---|
TTP | Designed to detect a certain adversary tactic, technique, or procedure. | Attempted Credential Dump From Registry via Reg exe |
Anomaly | Triggers on behavior that is not normally observed. Anomalous might not be explicitly malicious but can be suspect. For example, detection of executables that are not run before or a process using the network which does not normally use the network. | Add Default User And Password In Registry |
Hunting | Increases the risk of an asset or entity but tends to be too noisy to generate a notable event by itself. It leverages aggregated risk from various other detections to produce a notable. Also known as hunting queries. | 7zip CommandLine To SMB Share Path |
Correlation | Correlates various detection results to identify a high-level threat and generate a notable. | Living Off The Land Detection |
Baseline | Helps in the maintenance of the analytic or create a baseline of data that detections can leverage. | Baseline Of Cloud Instances Launched |
Investigation | Searches that leverage tokens and are used in the pre-built panels shipped by ESCU for Investigative Workbench in Splunk Enterprise Security. | AWS Investigate Security Hub alerts by dest |
The following table displays how each type is configured out of the box in the ESCU app.
Analytic type | Create notable | Create risk and threat objects | Triggers playbook | Tied to a dashboard | Runs on CRON schedule | Enabled by default |
---|---|---|---|---|---|---|
Hunting | No | No | No | Yes | No | No |
TTP | Yes | Yes | Yes | No | Yes | No |
Baseline | No | Yes | Yes | No | Yes | No |
Anomaly | No | Yes | No | No | Yes | No |
Correlation | Yes | No | Yes | No | Yes | Yes |
Investigation | No | No | No | Yes | No | No |
Components of a detection analytic | Status of detection analytics |
This documentation applies to the following versions of Splunk® Enterprise Security Content Update: 3.22.0, 3.23.0, 3.24.0, 3.25.0, 3.26.0, 3.27.0, 3.28.0, 3.29.0, 3.30.0, 3.31.0, 3.32.0, 3.33.0, 3.34.0, 3.35.0, 3.36.0, 3.37.0, 3.38.0, 3.39.0, 3.40.0, 3.41.0, 3.42.0, 3.43.0, 3.44.0, 3.45.0, 3.46.0, 3.47.0, 3.48.0, 3.49.0, 3.50.0, 3.51.0, 3.52.0, 3.53.0, 3.54.0, 3.55.0, 3.56.0, 3.57.0, 3.58.0, 3.59.0, 3.60.0, 3.61.0, 3.62.0, 3.63.0, 3.64.0, 4.0.0, 4.0.1, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, 4.9.0, 4.10.0, 4.11.1, 4.12.0, 4.13.0, 4.14.0, 4.15.0, 4.16.0, 4.17.0, 4.18.0, 4.19.0, 4.20.0, 4.21.0, 4.22.0, 4.23.0, 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, 4.29.0, 4.30.0, 4.31.0, 4.31.1, 4.32.0, 4.33.0, 4.34.0, 4.35.0, 4.36.0, 4.37.0, 4.38.0, 4.39.0, 4.40.0, 4.41.0, 4.42.0, 4.43.0, 4.44.0
Feedback submitted, thanks!